
National security reviews 2018: A global perspective

What's inside

A guide to navigating the rules for investing in countries that require national security approval

Navigating national security reviews worldwide

As governments in various countries tighten their grip on national security reviews of foreign direct investment, the need for better assessment and calibration of the associated regulatory risk in cross-border transactions is greater than ever before.

Nowhere is this trend more evident than in the United States, with the August passage of the Foreign Investment Risk Review Modernization Act (FIRRMA), which expanded the range of transactions that are subject to review by the Committee on Foreign Investment in the United States (CFIUS), and the more recent release of a pilot program under FIRRMA that instituted mandatory declarations for a broad range of transactions and put in place penalties—up to the full value of the transaction—for failure to comply. With CFIUS set to clamp down still further in coming months, CFIUS compliance is rapidly moving to the very top of the due diligence list for cross-border transactions involving US businesses.

The US is far from alone. As you will read in the pages that follow, the European Union, United Kingdom, Germany, France, China and other nations are also incrementally ratcheting up their reviews. In the UK, for instance, the government is proposing radical new legislation to allow it to intervene in cases that raise potential national security concerns. The UK government itself estimates that, under the new law, approximately 50 cases a year may end up with some form of remedy to address such concerns. In France, the new PACTE law is likely to strengthen the sanctions mechanism, extend the list of sectors subject to review and introduce some transparency into the process through annual reporting on a no-name basis of reviewed cases.

The pages that follow offer a common-sense guide to investing in major jurisdictions, a snapshot of recent regulatory changes in each, and guidance on making sound investment decisions in a time fraught with regulatory uncertainty.


United States

Deals are generally approved, but a new law increases the number and types of deals reviewed.

Canada

While few deals are challenged in Canada, national security reviews are becoming more common and complex

European Union

Proposed European foreign direct investment regulation— a first step toward harmonized European investment controls

Finland

Deals are generally not blocked in Finland.


France

New legislation has been proposed to expand the scope of French national security reviews, especially in the technology sector, and to strengthen the powers of French authorities to impose sanctions


Germany

Federal Ministry for Economic Affairs and Energy is enforcing a stricter regime for foreign direct investment reviews


Italy

Deals are generally not blocked by the Italian government. However, in connection with the clearance process, conditions may be imposed that can have a significant impact on the investment

Russian Federation

New amendments potentially require foreign investors to disclose information about beneficiaries, beneficial owners and controlling persons as part of pre-clearance


United Kingdom

National security interventions have, with one exception, involved defense considerations

Australia

Australia requires a wide variety of investments by foreign businesses to be reviewed and approved before completion


China

China is attempting to implement a more structured and comprehensive system to keep a closer eye on economic deals that might have security implications


Japan

Japan’s implementation of the 2017 amendments to FEFTA must be watched closely to see whether Japan will adopt a more aggressive stance

National security reviews 2018: China

China is attempting to implement a more structured and comprehensive system to keep a closer eye on economic deals that might have security implications


China's Cybersecurity Law became effective on June 1, 2017. It provides additional national security review requirements and standards for companies engaged in or seeking to engage in network and data operations in China.

The ministerial review panel established by China's Ministry of Commerce (MOFCOM) pursuant to a rule issued by the State Council in 2011 (the 2011 Rule) is responsible for conducting national security reviews of foreign investments in domestic enterprises.

In addition to the 2011 Rule, China is in the process of implementing a comprehensive set of rules and regulations governing national security reviews for foreign investments. On July 1, 2015, China promulgated the new PRC National Security Law (the NSL), which is China's most comprehensive national security legislation to date. However, the NSL's main provisions do not detail how these security measures will be implemented by the relevant agencies and local authorities.

As such, the NSL's full impact on individuals and corporations in the private sector will remain unclear until relevant implementation measures are issued.


According to the 2011 Rule, MOFCOM reviews foreign-investment transactions following voluntary filings by the parties to the transaction, referrals from other governmental agencies or reports from third parties.

Under China's current regulatory system, a national security review filing applies only to mergers and acquisitions involving Chinese companies and foreign investors under circumstances provided under the 2011 Rule. The 2011 Rule prescribes that a foreign investor must apply for a national security review if the investor acquires equity in, and/or assets of, a domestic enterprise in China. In contrast, a transaction between two foreign parties involving interests in Chinese companies is not subject to the national security review requirement.


MOFCOM has circulated an unofficial list of industries in which a national security review for a foreign investment transaction is likely to be triggered. These industries mainly include military or military-related products or services, national defense-related products or services, agricultural products, energy, resources, infrastructure, significant transportation services, key technology and heavy equipment manufacturing.


The scope of review focuses on the overall risk profile and impact that various M&A transactions may have on China's national security, defense, economy and public interest.

Foreign investors targeting assets in free trade zones are subject to more stringent national security review rules. The ministerial review panel has wider discretion to terminate or restrict foreign investment transactions in these zones because, while the 2011 Rule gives the panel authority to review foreign investors that obtain "actual control" over companies in the industries listed above, rules governing free trade zones indicate that the panel is allowed also to regulate any foreign investor that has a "significant impact" on investees within the industries listed above.

Greenfield investments and investments in cultural and internet businesses established within these free trade zones through offshore and other contractual arrangements are also subject to national security reviews.


The NSL's promulgation indicates that China is attempting to implement a more structured and comprehensive system to keep a closer eye on economic deals that might have security implications. As of now, it is unclear what direction China's national security review will take due to the lack of implementation measures for the NSL. Further, the NSL specifically discusses the need for the state to pay particular attention to cybersecurity and network data protection for national security purposes. Article 25 of the NSL provides that China shall "build a network and information security safeguard system, enhance network and information security protection capabilities… achieve safe and controllable network and core information technology, critical infrastructures and information systems…."

Therefore, as part of China's overall national security initiative, China's Cybersecurity Law (the CSL) became effective on June 1, 2017. It provides additional national security review requirements and standards for companies engaged in or seeking to engage in network and data operations in China. As such, companies must be mindful of the cybersecurity and network protection requirements under the CSL, as the law places additional national security scrutiny on network operators in China.

The CSL primarily focuses on data security protection requirements and standards for critical information infrastructure operators, network operators and financial institutions to protect their networks from interference, damage and unauthorized access, along with the prevention of data leaks, thefts and falsification of information.

The Cyberspace Administration of China (CAC) serves as the primary governmental authority supervising and enforcing the CSL. A tiered network security protection system will be introduced in the future, and network operators will have to comply with the network security requirements of their corresponding level.

The CAC has issued various measures to supplement and clarify certain requirements of the CSL. Some of them are still in the proposed draft form. In particular, on April 11, 2017, the CAC published a draft proposal, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, together with the draft guideline on the valuation methods in August 2017. These draft rules extend the data localization requirement under the CSL for critical information infrastructure operators to other network operators, requiring such operators to undergo security assessments in order to transfer data to destinations outside of China. At this point, these drafts have not been published as final regulations; however, they represent a real possibility of what the final regulations could require.

Besides the rules on trans-border data transmission control, the Measures for the Security Review of Network Products and Services were finalized and came into effect along with the CSL on June 1, 2017. They set out detailed provisions on the security review standards for network products or services that are purchased by critical information infrastructure operators and may affect national security. The measures focus on verifying whether such products or services are "secure and controllable," and the review process will take the form of a security risk assessment of the products or services purchased by these operators.

In light of the above, we expect that China will continue to issue implementation and national security review standards and requirements under the CSL, specifically targeting companies seeking to operate as critical information infrastructure operators or other network operators in China. In light of the NSL and the CSL, foreign investors should continue to monitor the developments of China's national security review process.


Until issuance of implementation rules to the NSL, foreign investors should continue to be mindful of the terms and conditions of the 2011 Rule and pay special attention to transactions that might fall within the industries that are likelier to trigger national security concerns for MOFCOM. Buyers should also be cautious when completing transactions before obtaining a national security approval, since buyers might be forced to divest the acquired assets if the transaction ultimately fails the security approval process. Due to enforcement uncertainties and the broad scope of captured industries, foreign investors interested in sensitive industries often schedule voluntary meetings with MOFCOM officials to determine the national security review risk before commencing the formal application process.


The timeline used in practice and details of the national security review process in China are unclear, as information related to each individual application is not publicly available. The notional timeline below is based on the 2011 Rule:

MOFCOM will submit an application to a ministerial panel for review within five working days if the application falls within the scope of review.

The panel will then solicit written opinions from relevant departments to assess the security impact of the transaction. It could take up to 30 working days to complete the general review process.

The panel will then conduct a special review of the application if any written opinion states that the transaction may have security implications and will conduct a more detailed security assessment of the overall impact of the transaction. A final decision from the review panel will be issued within 60 working days of the start of the special review.


  • The CSL became effective on June 1, 2017. The CSL primarily focuses on the security protection of data and information for critical information infrastructure operators and other network operators.
  • Throughout 2017, the CAC issued various draft and final measures aiming to provide more clarity to the CSL and the scope of its implementation. The CAC also made multiple proposals for public comment on additional measures aiming to extend the data localization requirement under the CSL to cover other network operators, which would require all such operators to undergo security assessments in order to transfer data to destinations outside of China.
  • We expect to see further developments and clarification on the scope and impact of the CSL in the near future, and companies should keep a close eye on how the measures proposed and finalized by the CAC under the CSL would affect their business and operations going forward.



Generally, the outcomes of a national security review are as follows:

- The investment may be approved by MOFCOM, including with mitigation conditions

- MOFCOM will terminate a foreign investment project if it fails the national security review

- If the Chinese government has national security concerns about a transaction that is not submitted for approval, parties could be subject to sanctions or mitigation measures, including a requirement to divest the acquired Chinese assets

- A foreign investor may withdraw its application for national security review only with MOFCOM's prior consent

- Decisions resulting from a national security review may not be administratively reconsidered or litigated




This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2018 White & Case LLP